Versions Compared

Version Old Version 1 New Version 2
Changes made by

Juan Tomás Alonso Nieto (Deactivated)

Juan Tomás Alonso Nieto (Deactivated)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Rw ui tabs macro
Rw tab
titleav.symantec.dcs_sa.auditing

Field

Type

Source field name

Extra fields

eventdate

timestamp

 

machine

str

vmachine

OPERATION_D

str

 

OSTYPE_D

str

 

RULE_NAME

str

 

DISPOSITION_D

str

 

USER_NAME

str

 

TARGET_INFO

str

 

EVENT_DT

timestamp

 

AGENTNAME

str

 

EVENT_TYPE_D

str

 

HOSTNAME

str

 

PROCESS_NAME

str

 

POST_DT

timestamp

 

DESCRIPTION

str

 

EVENT_SEVERITY_D

str

 

HOSTADDR

str

 

EVENT_ID

int4

 

EVENT_CATEGORY_D

str

 

RESOURCE_NAME

str

 

hostchain

str

 

tag

str

 

rawMessage

str

 

Rw tab
titleav.symantec.dcs_sa.events

Field

Type

Source field name

Extra fields

eventdate

timestamp

 

machine

str

vmachine

OPERATION_D

str

 

PROCESS_PATH

str

 

EVENT_TYPE

str

 

OSTYPE_D

str

 

USER_NAME

str

 

DOMAIN_NAME

str

 

EVENT_DT

timestamp

 

ASSET_RID

int4

 

AGENTNAME

str

 

POLICY_NAME

str

 

EVENT_SEQ

int8

 

EVENT_SOURCE_D

str

 

EVENT_TYPE_D

str

 

HOSTNAME

str

 

OSVERSION

str

 

PROCESS_NAME

str

 

POST_DT

timestamp

 

DESCRIPTION

str

 

EVENT_SEVERITY_D

str

 

HOSTADDR

ip4

 

EVENT_ID

int8

 

EVENT_CATEGORY_D

str

 

REMOTEIP

str

 

LOCALPORT

str

 

REMOTEPORT

str

 

DISPOSITION_D

str

 

RULE_NAME

str

 

hostchain

str

 

tag

str

 

rawMessage

str

 

Rw tab
titleav.symantec.sep.mail

Field

Type

Source field name

Extra fields

eventdate

timestamp

 

machine

str

vmachine

message

str

 

hostchain

str

 

tag

str

 

rawMessage

str

 

Rw tab
titleav.symantec.sepc.events

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

 

 

machine

str

 

vmachine

srcHost

str

 

 

serverdate

str

 

 

eventId

int8

 

 

sourceName

str

 

 

username

str

 

 

logType

str

 

 

category

str

 

 

threat

str

Code Block
(eventId = 9) ? trim(subs(message, "(.*)Risk name:([^,]*+),(.*)", "\\2")) : null("")

message

eventId

action

str

Code Block
(eventId = 9) ? trim(subs(message, "(.*)Actual action:([^,]*+),(.*)", "\\2")) : null("")

message

eventId

message

str

 

 

hostchain

str

 

 

tag

str

 

 

rawMessage

str